Alert Policies description - discrepancies between documentation and dashboard.


Hi,

Trying to understand the difference between alert policies, but the documentation doesn't list what I see.

Doc used is https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies

In Microsoft 365 Defender, aka https://security.microsoft.com/alertpolicies, I can see the following:

- A user clicked through to a potentially malicious URL - We have detected that one of your users has recently clicked through on a link that was found to be malicious. -V1.0.0.3

- HVE A potentially malicious URL click was detected - We have detected that one of your HVE users has recently clicked on a link that was found to be malicious -V1.0.0.1

- A potentially malicious URL click was detected - We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5

The documentation only mentions:

- A potentially malicious URL click was detected

- A user clicked through to a potentially malicious URL

Can someone please help me correlate those?

Thank you

1 Reply
I have a case running with Product Support at the moment. As far as I can tell, the Alert Policy infrastructure is changing, as we have had inconsistent results since August. Functionality is also dependent on the exact products and plans applicable for your tenancy. That would not be a problem if the interface did not show active controls for (possibly) inactive features. The jury is also out on whether the administrator's exact role and rights are a factor. According to the RBAC link in the article you cited, the obvious roles should do the job but I am not so sure where the notification subsystem is concerned.

We have the HVE policy in our alert table, marked as a system threat management policy. I would say the omission is simply a case of the documentation not being up to date due to rapid change.